Amendments to the Claims:

This listing of claims will replace all prior versions, and listings, of claims in the
application: 

Listing of Claims:

1. (Currently amended) A computer system for detecting and monitoring network intrusion
events from log data received from network service devices in a computer network, the computer
system having discrete modules associated with a function performed on the log data received,
the computer system comprising:

an event parser in communication with multiple [[at least one]] network service devices
[[device]], the event parser being able to receive log data in real time from the device, the log data
including information detailing a network intrusion event received from the network service
device if an intrusion has occurred, the event parser being able to parse the information to create
[[create a]] corresponding event objects [[object]] concerning the intrusion events [[event]];

an event manager in communication with the event parser, the event manager being able
to receive the event objects [[object]], the event manager being configured to evaluate the event
objects [[object]] according to at least one predetermined threshold condition such that, when the
event objects satisfy [[object satisfies]] the predetermined threshold condition, the event manager
designates the event objects [[object]] to be broadcast in real time;

an event broadcaster in communication with the event manager for receiving event
objects designated by the event manager for broadcast, the event broadcaster being able to
transmit the event objects [[object]] in real time, relative to the receipt of the log data, as an
intrusion alarm; and

means for alerting the user that a network intrusion event has occurred. 

2. (original) The computer system of claim 1 wherein the means for alerting the user that a 
network intrusion event has occurred is a graphical user interface in communication with the
event broadcaster, the graphical user interface comprising a display screen for displaying an 
intrusion alarm and the information contained within the corresponding event object received 
from the event broadcaster. 
3. (Previously presented) The computer system of claim 2 wherein the graphic user
interface is configured to allow a user to initiate queries, and the computer system further
comprises: 

means for storing event objects, said means coupled to the event parsers; 

a report servlet coupled to the graphic user interface, the report servlet for recalling stored
event objects in response to user queries from the graphic user interface and displaying recalled
event objects on the graphic user interface display screen; 

an application reporter coupled to the report servlet for receiving and processing user 
queries and for performing searches of stored event objects; and 

a database accessible by the application reporter, for holding stored event objects, the 
database configured to recall event objects in response to searches executed by the application
reporter. 

4. (Previously presented) The computer system of claim 1 further comprising: 

a network port to receive log data having a conforming message format from at least one 
network service device; 

means for transmitting the log data having a conforming message format to the event 
parsers, said means coupled to the network port; and

a reporting agent coupled to the network port for collecting log data having a
non-conforming message format from the at least one network service device and converting the log
data to a conforming message format.

5. (original) The computer system of claim 4 wherein the conforming message format is 
syslog. 

6. (original) The computer system of claim 2 wherein the graphical user interface display 
screen comprises an alarm console, coupled to the event broadcaster, configured to display 
intrusion alarms, and a report console, coupled to the report servlet, configured to execute 
queries input by a user and display results, wherein the alarm console and event broadcasts are 
displayed simultaneously on the display screen. 
7. (original) The computer system of claim 6 wherein the report console is further
configured to display query result data in summary lines, said summary lines comprising 
hypertext links providing access to further data. 

8. (original) The computer system of claim 6 wherein the alarm console displays intrusion
alarms in summary lines, said summary lines comprising hypertext links providing access to 
further data. 

9. (original) The computer system of claim 6 wherein the graphical user interface displays
the status of network security devices in real time. 

10. (original) The computer system of claim 9 wherein the graphical user interface displays
the status of network security devices in summary lines, said summary lines comprising
hypertext links providing access to further data. 

11. (original) The computer system of claim 10 wherein the graphical user interface displays 
the status of network security devices in a color coded format where said color designates a
particular status level for the particular device. 

12. (original) The computer system of claim 6 further comprising a chat manager accessible
to a user from the alarm console for executing electronic communications links between the user
and others having an electronic communications link to the computer system.

13. (original) The computer system of claim 12 wherein the electronic communications link
is an on-line link established through a web browser interface.

14. (original) The computer system of claim 1 further comprising a plurality of event parsers 
wherein each event parser is configured to receive log data from a predetermined network
service device, the plurality of parsers each coupled to the event manager.

15. (original) The computer system of claim 1 wherein the information contained within the 
event object is read by the event manager and assigned a severity level corresponding to the 
event type information contained within the event object, and the predetermined threshold
condition is the assigned severity level.

16. (Previously presented) The computer system of claim 15 wherein the severity level is one
of seven categories for types of events contained within event objects. 

17. (original) The computer system of claim 1 further comprising an event aggregator
module and wherein the event parser is housed within the event aggregator module, and log data
from a multiplicity of network device sources is received by the event parser. 

18. (original) The computer system of claim 17 wherein the event parser reads log data
posted in extensible markup language. 

19. (Previously presented) The computer system of claim 3 wherein the computer system is 
one of a multiplicity of computer systems each having a graphic user interface and the computer 
system further comprises a central graphic user interface which accesses at least one of the
graphic user interfaces of the multiplicity of computer systems.

20. (original) The computer system of claim 19 wherein the central graphic user interface
accesses at least one of the report servlets of the multiplicity of computer systems and
communicates with at least one of the databases of the multiplicity of computer systems. 

21. (original) The computer system of claim 1 further comprising means for filtering event
objects received by the event manager according to one or more predetermined conditions so as
to restrict the field of event objects designated for broadcast. 

22. (original) The computer system of claim 4 further comprising means for filtering log data 
received at the network port according to one or more predetermined conditions so as to restrict
receipt of corresponding log data by said transmitting means.

23. (original) The computer system of claim 21 wherein the predetermined conditions are
application name, host name, event severity, internal device alarm identifications, source
address, destination address, destination port, and protocol. 
24. (original) The computer system of claim 22 wherein the predetermined conditions are
application name, host name, internal device alarm identifications, source address, destination
address, destination port, and protocol.

25. (Currently amended) A method for detecting and monitoring network intrusion events
from log data received from network service devices in a computer network, [[wherein the
network service devices comprise a device from a group comprising a firewall, VPN (virtual
private network) server or router, and e-mail server]] comprising the steps of:

receiving log data in real time, the log data including information detailing at least one
network intrusion event received from the [[at least one]] network service devices [[device]], wherein
the network service devices comprise a device from a group comprising a firewall, VPN (virtual
private network) server or router, and e-mail server;

parsing the log data information to create [[create a]] corresponding event objects [[object]]; and
evaluating the event objects [[object]] according to at least one predetermined threshold
condition;

where the information contained within the event objects [[object]] satisfies the
predetermined threshold condition, broadcasting the event object as an intrusion alarm in real
time, relative to the receipt of the log data, to a display screen on a graphic user interface.

26. (Previously presented) The method of claim 25 wherein the graphic user interface is 
configured to allow a user to initiate queries, and the method further comprises the steps of:

storing event objects to a database accessible by an application reporter, the database for 
holding stored event objects, and the database configured to recall event objects in response to 
searches performed by the application reporter in response to user queries; and 

recalling stored event objects in response to user queries from the graphic user interface
and displaying recalled event objects on the graphic user interface display screen.

27. (Previously presented) The method of claim 26 further comprising the steps of:
receiving log data in a conforming message format at a network port;
transmitting the log data in a conforming message format to event parsers;
collecting log data in a non-conforming message format by executing a reporting agent;
and
converting the log data to a conforming message format.

28. (original) The method of claim 27 wherein the conforming message format is syslog.

29. (original) The method of claim 25 wherein the event object intrusion alarm is displayed
as a hypertext link to further event object information and the method further comprises using a
display screen interface device to open the hypertext link to reveal further event object 
information on at least one successive display screen frameset. 

30. (original) The method of claim 26 wherein the stored event object is displayed as a 
hypertext link to further event object information and the method further comprises using a
display screen interface device to open the hypertext link to reveal further event object
information on at least one successive display screen frameset.

31. (original) The method of claim 25 further comprising the step of filtering log data
received according to one or more predetermined conditions so as to restrict the receipt of 
corresponding log data. 

32. (original) The method of claim 31 wherein the predetermined conditions are application 
name, host name, internal device alarm identifications, source address, destination address,
destination port, and protocol.

33. (Previously presented) The method of claim 25 further comprising the step of opening an 
electronic communications link to other users on the computer system.

34. (original) The method of claim 33 further comprising the step of sending an electronic 
message over the communications link to other users regarding an intrusion alarm. 

35. (new) A computer system for detecting and monitoring network intrusion events from log
data received from network service devices in a computer network, the computer system having
discrete modules associated with a function performed on the log data received, the computer
system comprising: 

an event parser in communication with multiple network service devices, the event parser 
being able to receive log data in real time from the devices, the log data including information 
detailing a network intrusion event received from the network service devices if an intrusion has 
occurred, the event parser being able to parse the information to create corresponding event 
objects concerning the intrusion events; 

an event aggregator, the event aggregator being able to filter the event objects based on
event type and severity; 

an event manager in communication with the event aggregator, the event manager being 
able to receive the event object, the event manager being configured to evaluate the event object 
according to at least one predetermined threshold condition such that, when the event object 
satisfies the predetermined threshold condition, the event manager designates the event object to
be broadcast in real time; 

an event broadcaster in communication with the event manager for receiving event 
objects designated by the event manager for broadcast, the event broadcaster being able to 
transmit the event object in real time, relative to the receipt of the log data, as an intrusion alarm; 
and 

means for alerting the user that a network intrusion event has occurred.

36. (new) A method for detecting and monitoring network intrusion events from log data
received from network service devices in a computer network, wherein the network service 
devices comprise a device from a group comprising a firewall, VPN (virtual private network)
server or router, and e-mail server comprising the steps of: 

receiving log data in real time from multiple network security devices, the log data 
including information detailing at least network intrusion events received from the network
service devices; 

parsing the log data information to create corresponding event objects; 

filtering the event objects based on event type and severity; and 

evaluating the event objects according to at least one predetermined threshold condition; 
where the information contained within an event object satisfies the predetermined
threshold condition, broadcasting the event object as an intrusion alarm in real time, relative to 
the receipt of the log data, to a display screen on a graphic user interface. 
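An added illustration, written for this listing and not code from the patent or its applicant, of the pipeline the claims above describe: an event parser turns conforming (syslog-style) log lines into event objects, an aggregator filters them on the predetermined conditions of claims 23 and 24, the event manager applies a severity threshold (claims 15 and 16), and the broadcaster renders the designated objects as alarm summary lines. The syslog line layout, the seven-level severity mapping and the sample log lines are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed syslog-style lines standing in for firewall and VPN log data (not from the patent).
SAMPLE_LOG = [
    "<34>Jan 10 12:00:01 fw1 fw: DENY TCP 203.0.113.5:4444 -> 192.0.2.10:22",
    "<30>Jan 10 12:00:02 fw1 fw: ACCEPT TCP 192.0.2.20:51000 -> 198.51.100.7:443",
    "<34>Jan 10 12:00:03 vpn1 vpn: AUTH_FAIL UDP 203.0.113.9:500 -> 192.0.2.1:500",
]

# Assumed conforming layout: "<pri>Mon dd hh:mm:ss host app: TYPE PROTO src:port -> dst:port"
LINE_RE = re.compile(
    r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<app>\S+): (?P<etype>\S+) "
    r"(?P<proto>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Seven severity categories keyed by event type; the mapping itself is an assumption.
SEVERITY = {"ACCEPT": 1, "INFO": 2, "NOTICE": 3, "WARN": 4, "DENY": 5, "AUTH_FAIL": 6, "CRITICAL": 7}


@dataclass
class EventObject:
    host: str
    app: str
    etype: str
    proto: str
    src: str
    dst: str
    dport: int
    severity: int


def parse_event(line: str) -> Optional[EventObject]:
    """Event parser: build one event object from a conforming log line, or None if it does not conform."""
    m = LINE_RE.match(line)
    if not m:
        return None  # non-conforming data would first go through a reporting agent (claim 4)
    d = m.groupdict()
    return EventObject(d["host"], d["app"], d["etype"], d["proto"], d["src"], d["dst"],
                       int(d["dport"]), SEVERITY.get(d["etype"], 3))


def passes_filter(ev: EventObject, conditions: dict) -> bool:
    """Aggregator filter: every predetermined condition (field name -> required value) must match."""
    return all(getattr(ev, field) == value for field, value in conditions.items())


def designate_for_broadcast(lines, threshold: int, conditions: Optional[dict] = None) -> list:
    """Event manager: parse, filter, then designate events whose severity meets the threshold."""
    alarms = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or (conditions and not passes_filter(ev, conditions)):
            continue
        if ev.severity >= threshold:  # the threshold condition is the assigned severity level
            alarms.append(ev)
    return alarms


def broadcast(alarms) -> list:
    """Event broadcaster: render each designated event object as an alarm summary line."""
    return [f"ALARM sev={a.severity} {a.host}/{a.app} {a.etype} {a.proto} {a.src}->{a.dst}:{a.dport}"
            for a in alarms]
```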